Phishing Phishers—Observing and Tracing Organized Cybercrime

Dominik Birk 1, Sebastian Gajek 1, Felix Gröbert 1, and Ahmad-Reza Sadeghi 2
Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany
1 {dominik.birk|sebastian.gajek|felix.groebert}@.rub.de
2 sadeghi@crypto.rub.de

Abstract—We investigate the paradigm shift from real-world organized crime to organized cyber crime, in particular with regard to identity theft through phishing and the methods deployed for the purpose of money laundering. Our work is based on our collaboration with banks and lawyers within the working group identity protection on the Internet (a-i3 1) as well as with phishing victims in Germany. We report on case studies and analyze the strategies used by phishers. We propose a forensic framework concept for identifying and tracing the financial agents involved in the associated criminal network. Finally, we briefly discuss some open problems.

I. INTRODUCTION

Organized crime poses a crucial threat to an economic system and has been the subject of investigation by many experts from different fields of knowledge. Organized crime is defined as those unlawful activities performed by organized associations 2, usually using a variety of legitimate businesses in parallel to conceal its criminal activities (drug trafficking, money laundering, extortion, blackmailing, hijacking, etc.), as well as the criminal actors involved. The primary motive of traditional organized crime is profit; however, it may also be driven by ideological and political motives. A practice of organized crime is money laundering (or "cleaning" dirty money), which concerns methods of engaging in specific financial transactions in order to conceal the source and/or destination of money obtained by means of criminal activities. Today, however, the term money laundering also covers any financial transaction which generates value as the result of an illegal act (e.g., tax evasion).

Although a variety of technical and legal measures have been developed to model, identify, and trace different forms of money laundering, authorities and investigators are still faced with the increasing complexity of the methodologies deployed. The impact and importance of financial crime have increased due to the estimated economic damage it may cause.

A similar development and evolution of crime can be observed in the digital world. Since the World Wide Web emerged and numerous services became available digitally, today we face a novel form of crime known as cyber crime. We notice a prolonged proliferation of spam, malware and denial-of-service attacks used to, e.g., distribute unsolicited advertisement, illegitimately access confidential information ranging from users' credentials to business secrets, or extort groups of companies by disabling their online presence. A folklore belief in the past, at least in public view, was that cyber crime is an act of an individual or a group that may have criminal incentives (e.g., [1]), but still cannot be considered organized crime. This has changed. Cyber crime is getting organized as known from the real world, and a prominent example are phishing attacks [2], [3], [4], [5], [6]. Certainly, there have been cyber crimes such as deals with black-market goods on Internet auctions; however, phishing attacks differ in quality and quantity: Today, a variety of actors are involved, each being responsible for a specific task, making phishing attacks modular and flexible. An open and widespread environment such as the Internet provides many opportunities for those actors to recognize like-minded players and get organized in an extremely short time, escaping prosecution since judicial enforcement lacks appropriate regulations beyond national barriers.

We investigate the problem of identity theft on the Internet, in particular through phishing, and its role in organized cyber crime and money laundering. Based on our studies and close cooperation and information exchange with banks, lawyers and phishing victims in Germany, we argue that we are faced with a new paradigm of organized cyber crime. We analyze the strategies deployed by phishers, in particular with respect to money laundering. Based on these observations we model this threat and propose and discuss some ideas for a framework that deploys forensics to identify and trace the actors involved in such a criminal network.

Outline. Our work is structured as follows. In Section II, we analyze the strategies of cyber criminals in the context of phishing and present a model with regard to technical and money laundering issues. In Section III, we discuss countermeasures. In Section IV, we sketch open problems, before we conclude the paper in Section V.

1 https://www.a-i3.org
2 See US Organized Crime Control Act 1970, available at http://www.usdoj.gov/usao/eousa/foia reading room/usam/title9/110mcrm.htm

Second International Conference on Internet Monitoring and Protection (ICIMP 2007) 0-7695-2911-9/07 $25.00 © 2007